
Thursday, May 06, 2010

Ceding the desktop security battle, almost the war

Fresh from the FS-ISAC conference in lovely St. Pete Florida, one predominant theme was that Financial Institutions must assume the client, their customers rather, are compromised (infected with malware) and they must continue doing business anyway. Given the threat landscape this is a reasonable operating parameter. The prevalence of man-in-the-browser attacks forces FIs to make very tough business decisions. If a client PC infection is detected, do they continue to allow transactions with the customer while trying to detect and minimize fraudulent transactions? Further, are the FIs obligated legally or ethically to inform the customer of the infection? Or, do they suspend all transactions and incur support costs to help the customer fix their PC before allowing money to move?

These are very challenging questions with no singular correct answer, but what really concerns me is the premise itself. If we operate with this assumption, that the client is compromised (again not unreasonable), then the good guys have ceded victory in the desktop security battle. With over 1 billion people on the Internet, that is no small loss. What’s worse is there are signs that the loss of the home network could be permanent.

Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. Think about what this could mean. Should this problem become pervasive, it won’t matter if PCs are disinfected, swapped out, or replaced with iPads; the bad guys are still in control because they own the network below. They’ll own DNS, the routers in between, and so on. There are effectively few defensive countermeasures to protect home routers and DSL modems, which are not exactly secure to begin with, or to detect if they’ve been compromised.
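One way a bank can keep moving money while assuming the browser is already hostile is to decide every transfer server-side from facts the client cannot rewrite: a payee list confirmed over another channel, per-day caps and a burst limit. The sketch below is an added example, not code from the post; the thresholds and the out-of-band confirmation step are assumptions.

```python
# Added illustration (not from the post): server-side transfer controls that
# treat every browser as possibly compromised by a man-in-the-browser.
# The thresholds and the out-of-band channel are assumptions for the example.
from dataclasses import dataclass, field

@dataclass
class Transfer:
    account: str
    payee: str
    amount: float
    at: float          # seconds since epoch, taken from the server clock

@dataclass
class TransferPolicy:
    # payees already confirmed over a channel the browser cannot reach (branch, phone)
    known_payees: dict
    history: dict = field(default_factory=dict)   # account -> accepted transfers
    step_up_amount: float = 1000.0    # at or above this, confirm out of band
    daily_limit: float = 5000.0       # hard cap per account per day
    velocity_window: float = 600.0    # seconds
    velocity_max: int = 3             # transfers allowed inside the window

    def decide(self, t: Transfer) -> str:
        """Return 'allow', 'step_up' (confirm out of band) or 'hold'.
        Nothing the client sends besides the transfer fields is trusted."""
        prior = self.history.get(t.account, [])
        same_day = [p for p in prior if int(p.at // 86400) == int(t.at // 86400)]
        recent = [p for p in prior if 0 <= t.at - p.at <= self.velocity_window]
        if sum(p.amount for p in same_day) + t.amount > self.daily_limit:
            return "hold"
        if len(recent) >= self.velocity_max:
            return "hold"      # a burst of transfers is a common fraud signature
        if t.payee not in self.known_payees.get(t.account, set()):
            return "step_up"   # a silently rewritten payee is what MitB malware changes first
        if t.amount >= self.step_up_amount:
            return "step_up"
        return "allow"

    def record(self, t: Transfer, decision: str) -> None:
        """Keep accepted and step-up transfers so later limits see them."""
        if decision != "hold":
            self.history.setdefault(t.account, []).append(t)
```

Held transfers stay reversible until a human or an out-of-band confirmation clears them, which is the "continue doing business anyway" posture the post describes.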

15 comments:

Jeremiah -- I don't think this can be classified as FUD because it's true. Or at least it's a plausible assumption, and a good one to work with if you're designing security controls. I talked about this a little bit in one of my recent blog posts about identity/authentication.

What I'm not sure about, though, is whether the battle for the desktop is over. I think the issue is how far an online service provider will extend their own influence/boundaries in order to keep their customers' client machines secure. Do we want ISPs, social networks, or banks to dictate the standard to which our client security is held? Open question, not rhetorical...

I'm glad that the FS-ISAC etc. are finally coming to realize the state of things. I've been harping on about this for several years now - particularly the aspect of businesses dictating what their own customers should do/use to protect themselves.

Back in 2008 I wrote a paper covering some of the things of how businesses can continue to operate and provide services to their customers - even if they can't trust their customers' computers. The paper is called "Continuing Business with Malware Infected Customers" and it's more valid today than it ever was.

We could all do our banking from a Live CD setup to do a VPN into the bank with basically a client that runs from the live CD. No viruses/trojans because, booted from a CD, the system is immutable. Each customer could have a "customized" CD that becomes a "thing you have" authentication, along with a password "thing you know".

Anonymous and matthew.stevens: This still does not work. Low level rootkits (where hackers and organized crime are going) would still be able to compromise your live CD. Only trusted computing can help here (TPM, DRTM).

Please read about trusted computing and see ITL research (http://theinvisiblethings.blogspot.com/).

We have to drastically change the way we do computing. Today's operating systems are simply broken by design.

A LiveCD only valid for a specific site is not an option. I use a couple of different financial institution sites, which means I would need two CDs with me any time I want to do financial work. It also means I have to reboot my machine each time. Of course, if you want to extend protection to credit card transactions, I now need a LiveCD mailed to me every time I want to buy something from a new site: eBay, Amazon, Newegg, etc. You could create some sort of standardized LiveCD approved by multiple sites, but the more power you give to it, the closer it gets to a normal machine today. Not to mention there is always the option of infecting the memory each time it boots. An infected router or network could really cause problems there since updates would not come often if they have to mail you a new CD each time.

Ultimately, you cannot help someone who does not help themselves. If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure.

When we are talking about improving security for the masses, high assurance web site owners need to do something about the other end of the connection... they CANNOT rely on the socially engineered, non-technically savvy and non-risk-aware end users they typically serve.

Regardless of the myriad of technology we may attempt to apply to the problem, the first step is for the web site owners to step up and take ownership or consider turning off their service (hint: banks save|make too much $$ from online FI to stop). Heck, they turned on HTTPS so they made a value judgment on protecting the data in transit. They just need to extend it one more step... to the desktop, as it is their brand, their cost efficiencies, etc that compels their web sites to be available in the first place.

"If a person walks around with their bank URL and login credentials on their t-shirt, there is not much you can do to make their account secure."

ARGH, that's exactly it. Your router knows your bank url, and can inject a keylogger into any executable or firmware update you download. T-shirt or not, there is not much you can do to make your account secure if your local network and/or desktop is compromised.

LiveCDs aren't the way. Banks need to limit the kinds of transactions that can happen online, and we need to stop pretending that users have secure systems.

You can do a lot with an insecure system, like email, for instance. But there is a whole class of functionality that you would just never build on email because you know it is transmitted over public networks and stored in discoverable archives.

Banking, medical records, legal advice, intimate conversation: none of these things should really be done over the internet; or they should be strictly limited to reversible, discoverable actions.